I had a recurring hacker on my site that was modifying the .htaccess file to include pharma links for search engine bots. I've since solved that problem by ditching Joomla (although I stress to add it was probably a dodgy Joomla extension rather than Joomla itself).

However I'm still curious to find out how they did it and whether they are still trying. Looking at my raw logs the one thing that really stands out is multiple attempts to load my listings.php script with and awful lot of code added to the query string. It happens hundreds of times in the logs, starting with an innocent looking:

GET /listing.php?id=10749 HTTP/1.1

- which is a valid request, but then shortly after that turns into:

GET /listing.php?id=10749%27+and+%27x%27%3D%27y HTTP/1.1

and then several hits later it can be:

GET /listing.php?id=999999.9+%2F*%2130000union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C
0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C
0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C
0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536*%2F-- HTTP/1.1

What I'm trying to figure out is what are they trying to do? SQL injection attack? Or is this possibly related to the previous attach on .htaccess?

The knowledge of my peers would be appreciated,

Thanks,

Xandir

[edited by: phranque at 11:06 am (utc) on Oct 12, 2013]
[edit reason] fix sidescroll [/edit]